aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall
Commit message (Collapse)AuthorAgeFilesLines
* firewall: update to latest git HEADHans Dedecker2019-01-031-3/+3
| | | | | | | | 70f8785 zones: add zone identifying local traffic in raw OUTPUT chain 6920de7 utils: Free args in __fw3_command_pipe() 6ba9105 options: redirects: Fix possible buffer overflows Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEADHans Dedecker2018-12-091-3/+3
| | | | | | 14589c8 redirects: properly handle src_dport in SNAT rules Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* package/: fix $(PROJECT_GIT) usageJohn Crispin2018-10-111-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* firewall: Install config files as 600Rosen Penev2018-10-111-6/+6
| | | | | | None of the files in firewall are used by non-root. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* firewall: bump to git HEADStijn Tintel2018-08-131-3/+3
| | | | | | | | 12a7cf9 Add support for DSCP matches and target 06fa692 defaults: use a generic check_kmod() function 1c4d5bc defaults: fix check_kmod() function Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* firewall: update to latest git HEADJo-Philipp Wich2018-07-261-3/+3
| | | | | | aa8846b ubus: avoid dumping interface state with NULL message Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall3: update to latest git HEADHans Dedecker2018-07-171-3/+3
| | | | | | d2bbeb7 firewall3: make reject types selectable by user Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: compile with LTO enabledFelix Fietkau2018-07-131-2/+2
| | | | | | Reduces .ipk size on MIPS from 41.6k to 41.1k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* fw3: update to latest git HEADJohn Crispin2018-07-021-3/+3
| | | | | | 72684e5 firewall3: Fix GCC8 warnings by replacing sprintf with snprintf Signed-off-by: John Crispin <john@phrozen.org>
* firewall: update to latest git HEADHans Dedecker2018-05-251-3/+3
| | | | | | | 30463d0 zones: add interface/subnet bound LOG rules 0e77bf2 options: treat time strings as UTC times Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall3: update to latest git HEADJohn Crispin2018-05-141-4/+4
| | | | | | | | b45e162 helpers: fix the set_helper in the rule structure f742ba7 helpers.conf: support also tcp in the CT sip helper 08b2c61 helpers: make the proto field as a list rather than one option Signed-off-by: John Crispin <john@phrozen.org>
* firewall: update to the latest version, adds hw flow offload supportFelix Fietkau2018-04-051-3/+3
| | | | | | 35b3e74 defaults: add support for setting --hw on the xt_FLOWOFFLOAD rule Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: update to latest git HEADHans Dedecker2018-03-221-3/+3
| | | | | | | | | 5cdf15e helpers.conf: add CT rtsp helper d5923f1 Reword rule comments c1a295a defaults: add support for xt_FLOWOFFLOAD rule 41c2ab5 ipsets: add support for specifying entries Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: bump to git HEADStijn Tintel2018-03-081-3/+5
| | | | | | | | | | | 392811a ubus: let fw3_ubus_address() return the number of resolved addresses 359adcf options: emit an empty address item when resolving networks fails 503db4a zones: disable masq when resolving of all masq_src or masq_dest items failed f50a524 helpers: implement explicit CT helper assignment support a3ef503 zones: allow per-table log control 8ef12cb iptables: fix possible NULL pointer access on constructing rule masks Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* firewall: depend on kmod-nf-conntrack6Matthias Schiffer2018-02-021-2/+2
| | | | | | | | Firewall rules don't work as intended without conntrack support. The recent cleanup removed the kmod-nf-conntrack6 dependency from the iptables modules; add it to the firewall package instead. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* treewide: replace LEDE_GIT with PROJECT_GITJo-Philipp Wich2018-01-101-1/+1
| | | | | | | Remove LEDE_GIT references in favor to the new name-agnostic PROJECT_GIT variable. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEADHans Dedecker2017-11-071-3/+3
| | | | | | c430937 ubus: parse the firewall data within the service itself Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: fix stray continue statementJo-Philipp Wich2017-05-271-4/+4
| | | | | | | The previous commit introduced a faulty continue statement which might lead to faulty rules not getting freed or reported. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: extend ubus support, exception handling, parse fixesJo-Philipp Wich2017-05-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | Update to latest Git HEAD in order to import a number of fixes and other improvements: 3d2c18a options: improve handling of negations when parsing space separated values 0e5dd73 iptables: support -i, -o, -s and -d in option extra 4cb06c7 ubus: increase ubus network interface dump timeout e5dfc82 iptables: add exception handling f625954 firewall3: add check_snat() function 7d3d9dc firewall3: display the section type for UBUS rules 53ef9f1 firewall3: add UBUS support for include scripts 5cd4af4 firewall3: add UBUS support for ipset sections 02d6832 firewall3: add UBUS support for forwarding sections 0a7d36d firewall3: add UBUS support for redirect sections d44f418 firewall3: add fw3_attr_parse_name_type() function e264c8e firewall3: replace warn_rule() by warn_section() 6039c7f firewall3: check the return value of fw3_parse_options() Fixes FS#548, FS#806, FS#811. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to the latest version, fixes a gcc7 build errorFelix Fietkau2017-05-251-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: document rules for IPSec ESP/ISAKMP with 'name' optionYousong Zhou2017-03-282-15/+16
| | | | | | | | | | These are recommended practices by REC-22 and REC-24 of RFC6092: "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" Fixes FS#640 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* firewall3: update to Git head to support xtables API level > 11Jo-Philipp Wich2017-02-191-3/+3
| | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: fix forwarding local subnet trafficJo-Philipp Wich2017-01-131-3/+3
| | | | | | | | | | | | | Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow stream with state NEW or UNTRACKED. Remove the ctstate restriction on dest accept chains to properly pass- through unrelated 3rd party traffic. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: clean up and unify PKG_VERSION for git based downloadsFelix Fietkau2016-12-221-5/+3
| | | | | | Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall3: drop support for automatic NOTRACK rulesJo-Philipp Wich2016-12-141-3/+3
| | | | | | | | | | | | Update to current HEAD in order to drop automatic generation of per-zone NOTRACK rules. The NOTRACK rules used to provide a little performance improvement but the later introduction of the netfilter conntrack cache made those rules largely unnecessary. Additionally, those rules caused various issues which broke stateful firewalling in some scenarios. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to fix FS#31, FS#73, FS#154, FS#248Jo-Philipp Wich2016-11-081-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update to latest Git head in order to import several fixes and enhancements. - Disable drop invalid by default (FS#73, FS#154) Instead of dropping packets with conntrack state INVALID, only allow streams with explicit NEW or UNTRACKED conntrack state. This change gives user defined rules the chance to accept traffic like ICMPv6 multicast which would be filtered away by the very early ctstate INVALID drop rule otherwise. The old behaviour can be restored by explicitely setting "drop_invalid" to 1 in the global firewall config section. - Fix re-initialization of loadable iptables extensions on musl (FS#31) Since musl does not implement actual dlclose() semantics, it is impossible to re-run initializers on subsequent dlopen() calls. The firewall3 executable now intercepts the extension registration calls instead in order to be able to re-call them when needed. This also allowed us to switch to libxtables' builtin extension loader as a positive side-effect. - Fix masquerade rules for multiple negated IP addresses (FS#248) When building MASQUERADE rules for zones which specify multiple negated addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of the masquerading chain instead of creating multiple rules with inverted "-s" arguments. - Tag own rules using comments Instead of relying on the nonstandard xt_id match, use the xt_comment match to mark own rules. Existing comments are prefixed with "!fw3: " while uncommented rules are marked with a sole "!fw3" string. This allows removing the xt_id match entirely in a later commit. - Make missing ubus connection nonfatal Technically, firewall3 is able to operate without ubus just fine as long as the zones are declared using "option device" or "option subnet" instead of "option network" so do not abort execution if ubus could not be connected or of no network namespace is exported in ubus. This allows running firewall3 on ordinary Linux systems. - Fix conntrack requirement detection for indirectly connected zones The current code fails to apply the conntrack requirement flag recursively to zones, leading to stray NOTRACK rules which break conntrack based traffic policing. Change the implementation to iteratively reapply the conntrack fixup logic until no more zones had been changed in order to ensure that all directly and indirectly connected zones receive the conntrack requirement flag. - Add support for iptables 1.6.x Adds support for the xtables version 11 api in order to allow building against iptables 1.6.x Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* source: Switch to xz for packages and tools where possibleDaniel Engberg2016-10-061-1/+2
| | | | | | | | | | | * Change git packages to xz * Update mirror checksums in packages where they are used * Change a few source tarballs to xz if available upstream * Remove unused lines in packages we're touching, requested by jow- and blogic * We're relying more on xz-utils so add official mirror as primary source, master site as secondary. * Add SHA256 checksums to multiple git tarball packages Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* firewall3: update to latest git HEADJohn Crispin2016-07-241-2/+2
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* package/*: update git urls for project reposJohn Crispin2016-06-131-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* firewall3: fix mark rules for local traffic, fix race conditionJo-Philipp Wich2016-05-021-3/+4
| | | | | | | Update to latest HEAD in order to fix MARK rule generation for local traffic, also fix a possible race condition during firewall start. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: drop invalid by default, remove chain indirection, fix invert ↵Jo-Philipp Wich2016-01-291-3/+3
| | | | | | | | | | | | flags (#21738) * Enable drop_invalid by default to catch unnatted packets (#21738) * Fix processing of inversions for -i, -o, -s, -d and -p flags * Remove delegate_* chain indirection but rely on xt_id to identify own rules Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48551
* firewall: add CONFIG_IPV6 to PKG_CONFIG_DEPENDS to fix a rebuild errorFelix Fietkau2016-01-181-0/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48315
* firewall: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48128
* firewall: allow DHCPv6 traffic to/from fc00::/6 instead of fe80::/10Jo-Philipp Wich2015-09-251-2/+2
| | | | | | | | | | There is no RFC requirement that DHCPv6 servers must reply with a link local address and some ISP servers in the wild appear to using addresses in the ULA range to send DHCPv6 offers. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 47048
* firewall: depend on kmod-ipt-conntrack (#20542)Jo-Philipp Wich2015-09-171-1/+1
| | | | | | | | | Our ruleset requires kernel support for conntrack state matching, therfore depend on the require kmod. Fixes #20542. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 46990
* firewall: Remove src_port from firewall.config to receive dhcpv6 repliesSteven Barth2015-09-111-1/+0
| | | | | | | | | | Seems like my second try was again whitespace broken. Sorry for the noise. Remove src_port from firewall.config to receive dhcpv6 replies. Fixes #20295. Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de> SVN-Revision: 46842
* firewall: fix typo in ESP ruleSteven Barth2015-07-272-2/+2
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46506
* firewall: comply with REC-22, REC-24 of RFC 6092Steven Barth2015-07-242-13/+12
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46478
* firewall: link iptables extensions dynamicallyJo-Philipp Wich2015-05-261-7/+2
| | | | | | | | | | | | | | Use shared libipt{,4,6}ext.so libraries instead of statically linking the userspace matches into the fw3 executable. As a side effect the match initialization is extremely simplified compared to the weak function pointer juggling performed before. This also fixes the initialization of the multiport match. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 45764
* firewall: Allow IGMP and MLD input on WANSteven Barth2015-05-051-0/+19
| | | | | | | | | | | | The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic. RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> SVN-Revision: 45613
* firewall: fix some more null-pointer accessesSteven Barth2015-02-261-2/+2
| | | | | | | | thanks to Hans Dedecker Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 44540
* firewall: respect src_dip option for reflection (#18544)Jo-Philipp Wich2015-01-081-3/+3
| | | | | | | | Also fix wrong IPv4 netmask calculation on x86-64, thanks Ulrich Weber. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 43874
* license info - revert r43155John Crispin2014-11-031-2/+0
| | | | | | | | turns out that r43155 adds duplicate info. Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 43167
* Add more license tags with SPDX identifiersJohn Crispin2014-11-031-0/+2
| | | | | | | | | | | | | | | | | | Note, that licensing stuff is a nightmare: many packages does not clearly state their licenses, and often multiple source files are simply copied together - each with different licensing information in the file headers. I tried hard to ensure, that the license information extracted into the OpenWRT's makefiles fit the "spirit" of the packages, e.g. such small packages which come without a dedicated source archive "inherites" the OpenWRT's own license in my opinion. However, I can not garantee that I always picked the correct information and/or did not miss license information. Signed-off-by: Michael Heimpold <mhei@heimpold.de> SVN-Revision: 43155
* Add a few SPDX tagsSteven Barth2014-11-021-0/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 43151
* firewall: allow '*' as synonym for any / all in family and proto optionsJo-Philipp Wich2014-09-191-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42620
* firewall: fix heap corruption in fw3_bitlen2netmask() with IPv6 addressesJo-Philipp Wich2014-09-181-2/+2
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42610
* firewall: fix invalid memory access when processing /128 IPv6 addresses from ↵Jo-Philipp Wich2014-09-171-2/+2
| | | | | | | | ubus, properly emit REDIRECT rules for local port forwards Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 42604
* package/*: remove useless explicit set of function returncodeJohn Crispin2014-08-251-4/+0
| | | | | | | | | | | | | | | | | | | | | | somebody started to set a function returncode in the validation stuff and everybody copies it, e.g. myfunction() { fire_command return $? } a function automatically returns with the last returncode, so we can safely remove the command 'return $?'. reference: http://tldp.org/LDP/abs/html/exit-status.html "The last command executed in the function or script determines the exit status." Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com> SVN-Revision: 42278